feat(skills): align with cross-org review
- safety: drop tools section (moved to sdlc); relax kubectl-apply ban to production-only (dev and uat permit direct kubectl for iteration); keep kubectl-create-secret ban at all environments - sdlc: split Authentication into its own section (Better-Auth + Google + Apple + Authentik); add Tools (canonical, not alternatives) section moved from safety, including the playwright MCP and ghcr.io registry standard
This commit is contained in:
+4
-18
@@ -2,9 +2,9 @@
|
||||
name: safety
|
||||
description: >
|
||||
Non-negotiable safety rules for all CartSnitch agents. Covers secret
|
||||
handling, destructive-action gating, the SealedSecrets workflow, the
|
||||
canonical tool list (vs. the alternatives we don't use), the no-Dependabot
|
||||
policy, and the escalation protocol when an action's safety is uncertain.
|
||||
handling, destructive-action gating, the SealedSecrets workflow, kubectl
|
||||
scope limits, and the escalation protocol when an action's safety is
|
||||
uncertain.
|
||||
---
|
||||
|
||||
# Safety
|
||||
@@ -19,7 +19,7 @@ The following rules apply to every CartSnitch agent without exception.
|
||||
|
||||
* **Never commit plaintext secrets.** Kubernetes secrets go through Bitnami Sealed Secrets (`kubeseal`). Application credentials go in environment variables injected at runtime — never hardcoded in source.
|
||||
|
||||
* **Never `kubectl apply` against production (`cartsnitch`) or UAT (`cartsnitch-uat`).** Both are Flux-managed. Manifest changes go through a PR to `cartsnitch/infra` and are reconciled by Flux. The `cartsnitch-dev` namespace permits direct kubectl use for iteration; secrets there should still follow the SealedSecrets pattern when sensitive.
|
||||
* **Never `kubectl apply` against production (`cartsnitch`).** The production namespace is Flux-managed. Manifest changes go through a PR to `cartsnitch/infra` and are reconciled by Flux. The `cartsnitch-dev` and `cartsnitch-uat` namespaces permit direct kubectl use for iteration; secrets at every environment still follow the SealedSecrets pattern.
|
||||
|
||||
* **Never `kubectl create secret` in production.** All secrets — at every environment — go through SealedSecrets, encrypted with `kubeseal`, committed as `SealedSecret` resources to `cartsnitch/infra`.
|
||||
|
||||
@@ -27,20 +27,6 @@ The following rules apply to every CartSnitch agent without exception.
|
||||
|
||||
* **Never run `tofu` directly.** Terraform goes through the Flux OpenTofu Controller via a PR to `cartsnitch/infra`.
|
||||
|
||||
## Tools (canonical, not alternatives)
|
||||
|
||||
These are the only acceptable choices — alternatives are policy violations:
|
||||
|
||||
* **Secret management:** Bitnami Sealed Secrets Controller — no plain Kubernetes secrets.
|
||||
* **Database:** CloudNativePG Operator (Postgres) — no SQLite, MariaDB, or MySQL.
|
||||
* **Cache / pub-sub:** DragonflyDB Operator — no Redis.
|
||||
* **Authentication:** Better-Auth + OAuth2 via Authentik. Auth0, Okta, Entra-ID are also supported when required. **Never build custom authentication.**
|
||||
* **Dependency updates:** Mend Renovate. **Dependabot is not used and will not be used.** Do not configure it. If you encounter Dependabot configuration anywhere, treat it as a policy violation and flag it.
|
||||
* **Container registry:** `ghcr.io/cartsnitch/<service>` — no Docker Hub for first-party images.
|
||||
* **Browser automation:** the `playwright` MCP server (`http://playwright:8931/mcp`). Never run Playwright locally or install browser binaries. Target dev (`cartsnitch.dev.farh.net`) — never test production.
|
||||
|
||||
If a task requires deviating from any of the above, treat it as a destructive action: stop, file an issue with rationale, request board approval.
|
||||
|
||||
## If you are unsure
|
||||
|
||||
If you are unsure whether an action is safe, **stop**. Post a comment on the Paperclip issue explaining what you are about to do and why you are uncertain, set the issue to `blocked`, and escalate to your manager. Do not guess.
|
||||
|
||||
Reference in New Issue
Block a user